[Freeipa-users] Question on freeipa-server-trust-ad
Coy Hile
coy.hile at coyhile.com
Sat Apr 4 05:07:15 UTC 2015
Hi all,
What purpose does this package serve? The way I’ve done Kerberos between Active Directory and AD, the trust was always one way (outgoing): the MIT realm is authoritative and AD “shadow accounts” were mapped to ‘real’ principals via the alternateSecurityID attribute. Looking at what freeipa-server-trust-ad installs, it appears the dependencies installed are around letting someone a bidirectional trust (or at least let the AD users be authoritative). If one wants to setup his trust in the way I described, all he really needs to do in MIT land is create
krbtgt/AD.REALM at MIT.REALM
in the MIT Realm.
Is there a ‘supported’ way to do something similar with FreeIPA? Time to break out kadmin.local -x ipa-setup-override-restrictions? Or would that not drop the principal in the right place in the LDAP tree?
--
Coy Hile
coy.hile at coyhile.com
More information about the Freeipa-users
mailing list